Nortel Networks 5510, 5520, 5530 manual QoS Access Lists ACL, IP-ACL Configuration

Page 26

Filters and QoS Configuration for ERS 5500


Technical Configuration Guide

v2.0

NN48500-559

7. QoS Access Lists (ACL)

As of software release 5.0, the ERS55xx can be configured using access lists (ACLs). You can choose to use policies and/or ACLs to configure the ERS5500 switch. Up to a maximum of 15 precedence levels are supported using policies, whereas ACLs allow up to a maximum of 8 precedence levels.

Please be aware of the following when using ACLs:

• By default, ACLs are always terminated by an implicit action of "drop all non-matching traffic". This default action cannot be changed.

• ACL precedence is always in the order the ACLs are entered.

• ACLs are applied at a port level.

• Up to 8 precedence levels are supported; however, you can use ACL blocks if you have similar filter rules. Please see the classifier block explanation in section 3.2.

• When an ACL is assigned to a port, the ACL is assigned the highest precedence value available on the port. Each additional ACL that is added is then assigned a decreasing precedence level. Any policies (QoS or non-QoS) already associated with a port dictate the starting and subsequent precedence values for the ACL(s).

• Traffic meters cannot be assigned to ACLs.

• IP and L2 ACLs cannot be combined. If you wish to combine L2 and L3 classification, policies must be used.

• ACLs cannot be modified; you must first remove the ACL-assign configuration at the port level, then delete the ACL or ACLs you wish to modify and reconfigure them.

• ACLs can be enabled or disabled. However, you cannot update or change the associated precedence values while the ACL is disabled.

• You can only configure ACLs using the CLI or HTTP (QoS Wizard). Although JDM will display the ACL configuration, you cannot use JDM to either configure or delete ACLs.

7.1 ACL Configuration

7.1.1 IP-ACL Configuration

IP ACLs are added using the following command:

5500 (config)#qos ip-acl name <1..16 character string> ?
  addr-type        Specify the address type (IPv4, IPv6) classifier criteria
  block            Specify the label to identify access-list elements that are of the same block
  drop-action      Specify the drop action
  ds-field         Specify the DSCP classifier criteria
  dst-ip           Specify the destination IP classifier criteria
  dst-port-min     Specify the L4 destination port minimum value classifier criteria
  flow-id          Specify the IPv6 flow identifier classifier criteria
  next-header      Specify the IPv6 next header classifier criteria
  protocol         Specify the IPv4 protocol classifier criteria
  set-drop-prec    Specify the set drop precedence
  src-ip           Specify the source IP classifier criteria
  src-port-min     Specify the L4 source port minimum value classifier criteria
  update-1p        Specify the update user priority
  update-dscp      Specify the update DSCP
  <cr>
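As an added worked example (not Nortel's code or the guide's own), the following Python model reproduces the ACL behaviour section 7 describes and the classifier criteria listed above: elements are evaluated in the order they were assigned to the port, the first match decides pass or drop, anything that matches no element hits the implicit drop, precedence is handed out from the highest level left free by policies downwards, and a port accepts at most 8 ACL levels. The numeric precedence values, the packet dictionary, and reading dst-port-min alone as an exact port are assumptions of the model, not documented switch behaviour.

```python
import ipaddress

# Assumed model of the ERS5500 ACL semantics from section 7; not vendor code.
MAX_ACL_LEVELS = 8    # ACLs support up to 8 precedence levels per port
TOP_PRECEDENCE = 15   # policies support up to 15 levels (numbering is an assumption)


class IpAcl:
    """One qos ip-acl element: classifier criteria plus its drop-action."""

    def __init__(self, name, src_ip=None, dst_ip=None, protocol=None,
                 dst_port_min=None, dst_port_max=None, drop_action=False):
        self.name = name
        self.src = ipaddress.ip_network(src_ip) if src_ip else None
        self.dst = ipaddress.ip_network(dst_ip) if dst_ip else None
        self.protocol = protocol                      # IPv4 protocol number, e.g. 6 = TCP
        self.port_min = dst_port_min
        self.port_max = dst_port_max if dst_port_max is not None else dst_port_min
        self.drop_action = drop_action                # True = drop, False = pass

    def matches(self, pkt):
        # Every configured criterion must match; unset criteria match anything.
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.port_min is not None and not self.port_min <= pkt["dport"] <= self.port_max:
            return False
        return True


class Port:
    def __init__(self, name, policy_levels_in_use=0):
        self.name = name
        self.acls = []                               # kept in assignment order
        self.start = TOP_PRECEDENCE - policy_levels_in_use  # highest free level

    def assign(self, acl):
        """Attach an ACL and return the precedence level it received."""
        if len(self.acls) >= MAX_ACL_LEVELS:
            raise ValueError("only 8 ACL precedence levels available on " + self.name)
        self.acls.append(acl)
        return self.start - (len(self.acls) - 1)

    def evaluate(self, pkt):
        for acl in self.acls:                        # first match in order wins
            if acl.matches(pkt):
                return ("drop" if acl.drop_action else "pass", acl.name)
        return ("drop", "implicit")                  # non-matching traffic is always dropped


# Constructed sample: pass DNS to the server subnet, drop telnet, pass everything else.
port = Port("1/19", policy_levels_in_use=2)
port.assign(IpAcl("allow-dns", dst_ip="10.1.1.0/24", protocol=17, dst_port_min=53))
port.assign(IpAcl("deny-telnet", protocol=6, dst_port_min=23, drop_action=True))
port.assign(IpAcl("pass-all"))   # leave this out and all other traffic is dropped
```

The final pass-all element is the practical lesson: because the implicit drop cannot be changed, a port whose ACLs only describe what to drop silently discards everything else.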


Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.


External Distribution

25
